AMENDMENTS TO THE CLAIMS

1. (Currently Amended) An apparatus for selectively encrypting data for transmission
over a network between a server and a client, the apparatus comprising:

a parser configured to parse a first payload portion of the data from a second
non-payload portion of the data that does not identify a data type of the payload portion;

an encrypter configured to determine if the first payload portion of the data is to be
encrypted by inspecting examining the first payload portion of the data to recognize a predefined
data type, the inspection being independent of a packet header, and if it is to be encrypted, to
encrypt the first payload portion of the data; and

a data combiner configured to combine the first payload portion of the data with the
second non-payload portion of the data, wherein the second non-payload portion of the data
includes more than routing information.

2. (Previously Presented) The apparatus of claim 1, wherein the data includes 
streaming data. 

3. (Cancelled) The apparatus of claim 1, wherein the first portion of the data includes
payload data.

4. (Currently Amended) The apparatus of claim 1, wherein the second non-payload
portion of the data includes at least one of a header, control data and routing data. 

5. (Currently Amended) The apparatus of claim 1, further comprising a transmitter 
configured to send the combined first payload and second non-payload portions of the data over the
network to the client. 

6. (Previously Presented) The apparatus of claim 1, further comprising a receiver 
configured to receive the data from the server before the data is sent over the network to the client. 

7. (Previously Presented) The apparatus of claim 1, further comprising a device
configured to establish a data stream between the server and the client.

8. (Previously Presented) The apparatus of claim 1, further comprising a key negotiator
configured to negotiate an encryption key with the client. 

9. (Previously Presented) The apparatus of claim 8, wherein key negotiation and key 
exchange occur during transmission of a stream. 

10. (Previously Presented) The apparatus of claim 9, wherein the encrypter is 
transparent to the server. 

11. (Previously Presented) The apparatus of claim 8, wherein key negotiation can 
determine if the encryption key is current. 

12. (Currently Amended) The apparatus of claim 1, further comprising a decrypter 
configured to decrypt the first payload portion of the data.

13. (Previously Presented) The apparatus of claim 1, wherein the parser is further 
configured to parse the data into different portions based on a media format. 

14. (Currently Amended) The apparatus of claim 1, wherein the encrypter is further 
configured to encrypt the first payload portion of the data based on a media format.

15. (Currently Amended) The apparatus of claim 1, wherein the apparatus is 
implemented utilizing an application that includes a pluggable core encoding an encryption 
algorithm for encrypting the first payload portion of the data, wherein the pluggable core enables
the encryption algorithm to be readily changed. 

16. (Previously Presented) The apparatus of claim 1, wherein the apparatus is
implemented on an encryption bridge. 

17. (Currently Amended) A method for selectively encrypting data received from a data 
source, the data including first payload and second non-payload portions which differ from each
other in at least one characteristic, the received data to be subsequently sent over a network to a 
client, the method comprising:

Application No.: 09/656,166
Docket No.: 08223/000S102-US0

parsing the received data into portions including the first payload and second
non-payload portions;

determining if the first payload portion is to be encrypted based on a format of the first
payload portion of the data by inspecting examining the first payload portion of the data to
recognize a predefined data type, independent of a packet header, and if it is to be encrypted,
encrypting the first payload portion of the received data; and

sending the received data including the first payload portion and the second non-payload
portion of the received data over the network to the client.

18. (Previously Presented) The method of claim 17, wherein the data source is a server. 

19. (Previously Presented) The method of claim 17, further comprising determining 
whether a stream is established between a server and the client. 

20. (Previously Presented) The method of claim 17, further comprising negotiating an 
encryption key with the client. 

21. (Previously Presented) The method of claim 20, wherein the received data from the 
data source is streaming data sent during a streaming session and the negotiating of the encryption 
key is carried out during the streaming session. 

22. (Previously Presented) The method of claim 20, wherein the received data from the 
data source is streaming data sent during a streaming session, the method further comprising 
examining the client during the streaming session and terminating the streaming session if the 
encryption key on the client is invalid. 

23. (Previously Presented) The method of claim 20, wherein the encryption key is 
negotiated with a decryption shim on the client. 

24. (Previously Presented) The method of claim 17, further comprising determining 
whether the received data is streaming data.

25. (Previously Presented) The method of claim 24, further comprising parsing,
encrypting and sending the data if the data is streaming data and sending the data if the data is not 
streaming data. 

26. (Previously Presented) The method of claim 17, further comprising determining 
whether a shim is present on the client. 

27. (Previously Presented) The method of claim 26, further comprising sending a shim 
to the client if it is determined that the shim is not present on the client. 

28. (Previously Presented) The method of claim 17, further comprising determining 
whether an encryption key on the client is current. 

29. (Currently Amended) The method of claim 17, wherein the data includes a payload 
data portion and at least one of a header, control data and routing data. 

30. (Cancelled) The method of claim 29, wherein the first portion of the data includes
the payload data portion.

31. (Previously Presented) The method of claim 17, wherein the data received from the 
data source for sending to the client is a stream of packets, the method further comprising 
determining whether a packet is the last packet in a data stream. 

32. (Previously Presented) The method of claim 31, further comprising receiving 
feedback from a decryption shim on the client if it is determined that the packet is not the last 
packet in the data stream. 

33. (Previously Presented) The method of claim 17, further comprising determining 
whether the client is compromised. 

34. (Currently Amended) The method of claim 33, further comprising continuing 
parsing, encrypting and sending the data into the first payload and second non-payload portions if it
is determined that the client is not compromised.

35. (Previously Presented) The method of claim 33, further comprising terminating the
sending to the client if it is determined that the client is compromised. 

36. (Currently Amended) A method for streaming data at a client, the data including first 
payload and second non-payload portions which differ from each other in at least one characteristic,
the data having been sent over a network to the client from an encryption source, the method 
comprising: 

receiving the data sent over the network; 

parsing the data into portions including the first payload and second non-payload
portions;

if the first payload portion of the data is encrypted based on a format of the first payload 
portion of the data, as determined by an inspection examination of the first payload portion of the
data to recognize a predefined data type, the inspection being independent of a packet header,
decrypting the first payload portion of the data; and 

passing the decrypted first payload portion of the data to a higher level of operations for 
play in the client. 

37. (Previously Presented) The method of claim 36, further comprising prior to the 
parsing, determining whether the data is an unencrypted stream. 

38. (Previously Presented) The method of claim 37, further comprising passing the data 
to a higher level of operations without parsing and decrypting when it is determined that the data is 
an unencrypted stream.

39. (Previously Presented) The method of claim 36, further comprising negotiating a 
decryption key with the encryption source. 

40. (Previously Presented) The method of claim 39, wherein the streaming data is sent 
from the encryption source during a streaming session and said negotiating the decryption key is 
carried out during the streaming session.

41. (Previously Presented) The method of claim 39, further comprising terminating a
stream if the decryption key is invalid. 

42. (Cancelled) The method of claim 36, wherein the first portion of the data includes a
payload data portion.

43. (Previously Presented) The method of claim 36, wherein the data is sent from the 
encryption source over the network as a stream of data packets, the method further comprising 
determining whether a packet received by the client is a last packet in a data stream. 

44. (Previously Presented) The method of claim 43, further comprising sending 
feedback to the encryption source if it is determined that the packet is not the last packet in the data 
stream. 

45. (Previously Presented) The method of claim 36, further comprising determining 
whether the client is compromised. 

46. (Previously Presented) The method of claim 45, further comprising continuing the 
parsing, decrypting and passing the data as aforesaid if it is determined that the client is not 
compromised. 

47. (Previously Presented) The method of claim 45, further comprising terminating a 
streaming session if it is determined that the client is compromised. 

48. (Currently Amended) The apparatus of claim 3 claim 1, wherein the payload data 
includes multimedia data. 

49. (Previously Presented) The apparatus of claim 1, wherein the parser is further 
configured to parse the data into different portions based on a data protocol used to transmit a data 
stream. 

50. (Previously Presented) The apparatus of claim 1, wherein the parser parses the data 
based on the data protocol.

51. (Previously Presented) The method of claim 41, wherein the terminating of the
encrypted stream includes sending a feedback signal to the encryption source instructing to stop 
sending the data over the network. 

52. (Previously Presented) The method of claim 36, further comprising terminating a 
streaming session based on a determination that the client is compromised. 

53. (Currently Amended) A method for selectively encrypting data for transmission 
over a network, the method comprising examining the data to identify a plurality of portions; 
determining if at least one portion is to be to encrypted by inspecting examining the at least one
portion to recognize a predefined data type, independent of a packet header content, and if the at
least one portion is to be encrypted, encrypting the at least one portion; and at least another 
portion to remain unencrypted, the plurality of portions being combined after such encryption 
determination. 

54. (Previously Presented) The method of claim 53, wherein the data is received from 
a data source, wherein the data includes streaming data and wherein the at least one data portion 
to remain unencrypted includes at least one of a header, control data and routing data. 

55. (Previously Presented) The method of claim 54, wherein the streaming data is 
included in the at least one data portion to remain unencrypted. 

56. (Previously Presented) The method of claim 55, further comprising: 
transmitting the combined data over the network to a client; and 
negotiating and exchanging a key with the client before the combined data is
transmitted over the network to the client, the key enabling the client to decrypt the encrypted 
portion of the data for play on the client. 

57. (Previously Presented) The method of claim 56, wherein the streaming data is 
sent during a streaming session and wherein the negotiating and exchanging the key is carried 
out during the streaming session.

58. (Previously Presented) The method of claim 57, further comprising examining the
client during the streaming session and terminating the streaming session if the key on the client 
is invalid. 

59. (Previously Presented) The method of claim 58, wherein the data source is a 
server and the examining of the data is carried out on an encryption bridge between the server 
and the network so that the examining of the data, encrypting and combining of the plurality of 
data portions is transparent to the server. 

60. (Previously Presented) The method of claim 59, wherein the key negotiating and 
exchanging and the decryption using the key is carried out using a shim on the client, the shim 
being configured so that the negotiating and exchanging of the key thereby and the decrypting of 
the data thereby is transparent to the client. 

61. (Currently Amended) An apparatus for selectively encrypting streaming data 
received from a streaming data source for transmission over a network to a client, the apparatus 
comprising: 

a parser configured to parse a plurality of portions of the streaming data; 

an encrypter configured to encrypt at least one of the plurality of data portions a
payload portion if it is determined, based on an inspection examination of a format of the at least
one of the plurality of data portions the payload portion to recognize a predefined data type, the
determination to encrypt being independent of a packet header, that the at least one of the
plurality of data portions payload portion is to be encrypted, but not encrypt at least one other
data portion of the plurality of data portions; and

a data combiner configured to combine the at least one encrypted data payload
portion with at least one unencrypted data portion.

62. (Currently Amended) The apparatus of claim 61, further comprising a negotiator, 
wherein the negotiator negotiates and exchanges a key with the client before the combined data 
is transmitted over the network to the client, the key enabling the client to decrypt the at least one
encrypted payload portion of the data for play on the client.

63. (Previously Presented) The apparatus of claim 62, wherein the streaming data is
sent from the streaming data source during a streaming session. 

64. (Previously Presented) The apparatus of claim 63, further configured to perform 
actions including examining the client during the streaming session and terminating the 
streaming session if the client has been compromised. 

65. (Currently Amended) The apparatus of claim 61, wherein a second the at least one
unencrypted data portion of the data includes at least one of a header, control data and routing 
data. 

66. (Previously Presented) The apparatus of claim 61, wherein the streaming data 
source is at least one server. 

67. (Currently Amended) An apparatus for selectively encrypting data received from 
a data source for transmission over a network to a client, comprising: 

a parser configured to parse at least two portions of the data, at least one of the two 
portions of the data including more than routing information for a packet; 

an encrypter configured to determine if only one portion of the data is to be encrypted 
based on an inspection examination of only the one portion the data to recognize a predefined
data type, and independent of a packet header inspection, and if it is to be encrypted, encrypting
only the one portion of data not including the routing information for the packet; and 

a data combiner configured to combine the parsed at least two portions of the data 
following encryption of the one portion of data not including the routing information for the 
packet. 

68. (Previously Presented) The apparatus of claim 67, wherein the unencrypted 
portion of the data includes at least one of a header and control data. 

69. (Previously Presented) The apparatus of claim 68, wherein the parser parses the 
data into different portions based on a data protocol used to transmit the data.

70. (Previously Presented) The apparatus of claim 68, wherein the portion of the data
to be encrypted includes media data encoded in a media format and wherein the encrypter 
encrypts the data to be encrypted based on the media format. 

71. (Previously Presented) The apparatus of claim 70, wherein the apparatus is 
implemented utilizing an application that includes a pluggable core encoding an encryption 
algorithm for encrypting the data, the pluggable core being replaceable to enable the encryption 
algorithm to be readily changed. 

72. (Previously Presented) The apparatus of claim 71, wherein the apparatus is 
implemented on an encryption bridge. 

73. (Currently Amended) An apparatus for selectively encrypting data received from 
a data source during a downloading operation, the data being received from the data source for 
transmission over a network to a client receiving the downloaded data, comprising: 

a parser configured to parse at least two portions of the data; 

an encrypter configured to determine if one of the portions a payload portion of the
data is to be encrypted based on a format of the one payload portion of the data, wherein the
format is determined based on an inspection examination of the one payload portion of the data
to recognize a predefined data type, and if it is to be encrypted, encrypting only one of the
portions payload portion of data; and

a data combiner configured to combine the encrypted payload portion of data with an
unencrypted portion of data for transmission over the network. 

74. (Currently Amended) The apparatus as defined in claim 73, wherein the 
downloaded data is included in the encrypted payload portion of the data.

75. (Previously Presented) The apparatus of claim 74, wherein the unencrypted 
portion of data includes at least one of a header, control data and routing data. 

76. (Currently Amended) The apparatus of claim 75, further comprising a key 
negotiator configured to perform actions including negotiating and exchanging a key with the
client before the data is sent over the network to the client, the key enabling the client to decrypt
the encrypted payload portion of data.

77. (Canceled) 

78. (Currently Amended) An apparatus for selectively encrypting data, received from 
a data source during a downloading operation and for selectively encrypting data received from a 
data source during a streaming operation, the data being received from the data source for 
transmission over a network to a client receiving the downloaded or streaming data, comprising: 

a means for parsing at least two portions of the data; 

a means for determining if one a payload portion of the at least two portions of data is
to be encrypted based on a format of the one portion of data that is determined by other than a
packet header inspection recognizing a predefined data type in the payload portion of the at least
two portions, and if the one a payload portion of data is to be encrypted, employing a means for
encrypting only one the payload portion of the at least two portions of data; and

a means for combining the encrypted payload portion of the data with the at least the
unencrypted portion of the data for transmission over the network. 

79. (Previously Presented) The apparatus of claim 78, wherein during the streaming 
operation, the streaming data is included in the data portion that is to be encrypted. 

80. (Currently Amended) The apparatus as defined in claim 79, further comprising a 
key negotiating means configured to negotiate and exchange a key with the client before the 
streaming data is sent over the network to the client, the key enabling the client to decrypt the 
encrypted payload portion of the data for play on the client.

81. (Canceled) 

82. (Previously Presented) The apparatus of claim 78, further comprising a client 
examining means configured to examine the client during a streaming session and terminate the 
streaming session if the client has been compromised.

83. (Previously Presented) The apparatus of claim 82, wherein the data portion that is
not encrypted includes at least one of a header, control data and routing data. 

84. (Previously Presented) The apparatus of claim 78, wherein during a downloading 
operation, the downloaded data is included in the data portion that is to be encrypted. 

85. (Previously Presented) The apparatus of claim 84, wherein the data portion that is 
not encrypted includes at least one of a header, control data and routing data. 

86. (Currently Amended) A shim deployed on a client, the shim comprising: 

a data receiver configured to receive partially encrypted data transmitted to the client, 
wherein another device determined a payload portion of the data to be encrypted based on a
format of the payload portion of the data, wherein the format is determined by an inspection
examination of that payload portion of the data to recognize a predefined data type, ;

a parser configured to parse the partially encrypted data to select a the payload
portion of the data to be decrypted;

a decrypter configured to decrypt the payload portion of the data selected for
decrypting by the parser; and 

a data transmitter configured to send the decrypted data to a higher level operation 
resident on the client. 

87. (Previously Presented) The shim of claim 86, wherein an encrypted portion of the 
transmitted data includes media data, the data transmitter being further configured to send the 
decrypted media data to a media player resident on the client. 

88. (Previously Presented) The shim of claim 87, wherein the media data is streaming 
media transmitted to the client during a streaming session. 

89. (Previously Presented) The shim of claim 88, wherein the unencrypted portion of 
the data includes at least one of a header, control data and routing data.

90. (Previously Presented) The shim of claim 88, further comprising an analyzer
configured to analyze a behavior of the client to detect known media piracy techniques and to 
terminate the streaming session if a known media piracy technique is detected. 

91. (Previously Presented) The shim of claim 88, further comprising an analyzer
configured to analyze a behavior of the client to detect suspicious client behavior and to 
terminate the streaming session if specific behavior is detected. 

92. (Previously Presented) The shim of claim 88, further comprising an analyzer 
configured to analyze a behavior of the client to detect known media piracy techniques and to 
terminate operation of at least the decrypter when a media piracy technique is detected. 

93. (Previously Presented) The shim of claim 88, further comprising an analyzer 
configured to analyze a behavior of the client to detect suspicious client behavior and to 
terminate the operation of at least the decrypter if suspicious behavior is detected. 

94. (Previously Presented) The shim of claim 88, further comprising a key negotiator 
configured to negotiate and exchange a key with the client before the data is sent over the 
network to the client, the key enabling the client to decrypt the encrypted portion of the data for 
play on the client. 

95. (Previously Presented) The shim of claim 88, wherein the streaming data is sent to 
the client from an encryption source, the shim further including a key negotiator configured to 
negotiate and exchange a key with the encryption source, the key being used by the decrypter to 
decrypt the encrypted portion of the data. 

96. (Previously Presented) The shim of claim 95 wherein the key negotiator is further 
configured to carry out the negotiating and exchanging of the key with the encryption source 
during the streaming session. 

97. (Currently Amended) A method for providing data over a network, comprising: 
determining a plurality of portions of the data;
determining if at least one a payload portion of the plurality of portions of the data is
to be encrypted based an inspection examination of the at least one payload portion, wherein the
inspection examination is to recognize a predefined data type of other than a packet header, and
if the at least one payload portion is to be encrypted, selectively encrypting at least one the
payload portion in the plurality of portions, wherein at least one other portion remains 
unencrypted; 

authenticating a client to receive the selectively encrypted payload portion; and 
transmitting the selectively encrypted payload portion to the authenticated client. 

98. (Currently Amended) The method of claim 97, wherein authenticating the client 
further comprises the client accepting a shim transmitted from a server that is selectively 
encrypting the payload portion, and wherein the shim is configured to send back a confirmation. 

99. (Previously Presented) The method of claim 97, wherein authenticating the client 
further comprises the client transmitting a self-generated certificate. 